Re: list of questions raised during ambient light privacy review

(regrets for having to miss the PING call in a few hours)

to this thread:
* WHO can and does have access to the data?
- the 'who' being defined as a categorical stakeholder in the relevant
ecosystem
- answering 'does' would depend on how dynamic the questions' outputs
are from the developer's perspective, and what the developer's optics
are... so, it may not be appropriate for this reference doc.

as for the conceptual framework upon which to present these (and other)
questions, at the risk of stating the obvious, the questions fall along
the same parameters as we see with sound user-facing privacy
policies.... and appropriately so.  therefore, it makes sense to mirror
and organize around the generic who, what, when, where, how, why (and
the more specific OECD-derived principles) constructs ... leaving us
with a developer reference methodology for creating and assessing web
API specs that's evaluated against familiar privacy/data protection
requirements (or, interests).

/erin


Erin E. Kenneally, M.F.S., J.D.
CEO, Founder
eLCHEMY, Inc.
8677 Villa La Jolla Dr., #1133
La Jolla, CA  92037
www.elchemy.org
On 4/22/13 2:47 AM, Robin Wilton wrote:
> Nick - 
> 
> That's excellent, thank you!
> 
> I have one addition to suggest (something that occurred to me more
> recently than the discussion). It relates to two already-identified risks:
> 
>>
>> * What other data could this record be correlated with? (e.g. the ISP)
>> [dsinger]
>>
>> * If you had large amounts of this data about one person, what
>> conclusions would it enable you to draw? (e.g. maybe you could
>> estimate location from many ambient light events by estimating
>> latitude and longitude from the times of sunrise and sunset)
>> [dsinger, tonyr]
> 
> The additional use-case I thought of has to do with what happens if
> you're able to correlate the ambient light events from two discrete
> devices. If they show the same event profile, you might infer that the
> two devices are co-located. That represents two kinds of privacy risk:
> (1) that you can infer that two people are (or were) co-located at a
> given time, and (2) that you can frustrate an individual's attempts to
> maintain separation of two "personas" (say, Home and Work) by having a
> dedicated device for each.
> 
> Hope this is useful - 
> 
> Robin
> 
> 
> Robin Wilton
> Technical Outreach Director - Identity and Privacy
> Internet Society
> 
> email: wilton@isoc.org <mailto:wilton@isoc.org>
> Phone: +44 705 005 2931
> Twitter: @futureidentity
> 
> 
> 
> 
> On 20 Apr 2013, at 04:34, Nicholas Doty wrote:
> 
>> Robin W. and others raised the point that it might be useful to
>> consolidate the questions that different reviewers asked during
>> privacy reviews of the Ambient Light API. I've tried to extract that
>> list from those threads and included my results below (and marked the
>> people that mentioned a question in [brackets]).
>>
>> I do not yet believe that all of these questions must be
>> asked/answered regarding every Web spec or API, that this list is
>> exhaustive or usefully framed. But I think it might be a nice starting
>> point. As Frank D. has noted, checklists are often a good first step
>> towards systematic reviews.
>>
>> * can the information be used (alone or in combination with other APIs
>> / sources of information) to fingerprint a device or user?
>> [tlr, erin, npdoty, others]
>>
>> * may I access to the information I created?
>> [karl]
>>
>> * may I record it myself (locally)?
>> [karl]
>>
>> * am I able to have actions on this personal record?
>> [karl]
>>
>> * may I block partly or totally the record of the information?
>> [karl, tonyr]
>>
>> * may I fake it? (think about fuzzy geolocation or voluntary fake
>> location)
>> [karl]
>>
>> * Is the data personally-derived, i.e. derived from the interaction of
>> a single person, or their device or address?  (If so, even if
>> anonymous, it might be re-correlated)
>> [dsinger]
>>
>> * Does the data record contain elements that would enable such
>> re-correlation?  (examples include an IP address, and so on)
>> [dsinger]
>>
>> * What other data could this record be correlated with? (e.g. the ISP)
>> [dsinger]
>>
>> * If you had large amounts of this data about one person, what
>> conclusions would it enable you to draw? (e.g. maybe you could
>> estimate location from many ambient light events by estimating
>> latitude and longitude from the times of sunrise and sunset)
>> [dsinger, tonyr]
>>
>> * Am I likely to know if information is being collected?
>> [wseltzer]
>>
>> * How visible is its collection and or use?
>> [wseltzer, tonyr]
>>
>> * Do I get feedback on the patterns that the information could reveal
>> (at any instant, over time) so I can adjust behaviors?
>> [wseltzer]
>>
>> * if a background event about the device is fired in all browsing
>> contexts, does it allow correlation of a user across contexts?
>> [npdoty]
>>
>> * can code on a page send signals that can be received by device
>> sensors on nearby devices?
>> [npdoty, tonyr]
>>
>> And while we're gathering checklists of questions, we might look at
>> the old Morris/Davidson doc for Internet specification authors that
>> had some questions related to privacy:
>> http://tools.ietf.org/id/draft-morris-policy-considerations-00.txt
>> (In particular: "4. Questions about Technical Characteristics or
>> Functionality" and then privacy discussion in Section 5.)
>> And the IAB Privacy Considerations for Internet Protocols contains
>> lists of questions in the "Guidelines" section:
>> http://tools.ietf.org/html/draft-iab-privacy-considerations-08
>>
>> This satisfies my ACTION-2.
>>
>> Thanks,
>> Nick
> 

-- 



This email message is for the sole use of the intended recipient[s] and
may contain privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by phone or reply email and destroy
all copies of the original message.

Received on Thursday, 25 April 2013 14:49:57 UTC